January 22, 2020


How to launch and run a successful bug bounty program: A security team perspective



Talk Title: How to launch and run a successful bug bounty program: A security team perspective
Speakers: Alexandra Ulsh (Mapbox)
Conference: O’Reilly Security Conference
Conf Tag: Build better defenses
Location: New York, New York
Date: October 30-November 1, 2017
URL: Talk Page
Slides: Talk Slides
Video:

Launching a bug bounty program is hard. Running and maintaining a successful bug bounty program is even harder. Though bug bounty programs are becoming increasingly popular, a poorly managed bug bounty program can paradoxically introduce more risk. If properly run, however, the security benefits of a responsive, efficient, and empathetic bug bounty program are priceless. Using real-world stories of both failure and success, Alexandra Ulsh details how Mapbox’s security team used tools, processes, automation, and empathy to decrease response time by 90%, reduce noise, and improve average report quality for its bug bounty program. Alex walks you through how Mapbox launched its bug bounty program—first privately, then publicly—and how the company used this emerging cornerstone of application security to improve product security, mitigate risk, and save money, all while maintaining the work-life balance of a relatively small security team. You’ll hear real stories about ways the bug bounty program failed and what the team did to fix it. Using popular SaaS collaboration and incident response tools you may already be using, such as HelpScout, PagerDuty, GitHub, and Slack, Alex shows you how to create an effective, responsive, and complete bug bounty workflow, from report submission all the way to public disclosure. These tools, as well as other processes Mapbox implemented, drastically improved average time to first response from upwards of a week to within 12 hours. Alex also shares architecture diagrams and code samples showing how these tools were integrated, so that you can implement these solutions at your own organization, along with practical tips on how to use automation and clear program guidelines to both reduce noise and increase the average quality of reports.
You’ll learn how empathy, vulnerability, and transparency with security researchers leads to higher hacker engagement and mutually beneficial collaboration, how to take the final nerve-wracking step of security vulnerability public disclosure, and how improving Mapbox’s bug bounty workflow process led to a radical overhaul of its security incident response process, culminating in a formal security incident response framework.
